Cloud security best practices are the specific, prioritized controls that prevent your cloud environment from becoming a liability. They cover identity, network segmentation, data protection, audit logging, and posture management. The controls that matter most in 2026 address the categories behind the vast majority of cloud breaches: misconfiguration and identity failure, not sophisticated exploits.
That pattern should inform where you start. This checklist is organized by control domain so you can work through it systematically, assign owners per section, and retest on a defined cycle. Every item is actionable against AWS, Azure, and GCP. The checklist does not cover application layer controls, container orchestration security, or endpoint detection, each of which requires separate treatment in the relevant control domain.
Identity and Access: The Highest-Return Control Domain
Identity failure is the leading cause of cloud compromise. When attackers gain access through stolen credentials, over-permissioned service accounts, or absent multi-factor authentication, the downstream damage is limited only by how much your IAM policies allowed. Getting this domain right gives you the highest return of any security investment at the infrastructure level.
Start with least privilege. Every principal, whether human user, service account, or machine identity, should carry only the permissions required for its specific function. In AWS terms, that means scoped IAM policies without wildcards on resource ARNs. In Azure, it means role assignments at the resource group or resource level rather than subscription scope. In GCP, it means custom roles instead of the primitive Owner/Editor bindings. Most environments fail this check because permissions drift upward over time: a developer needs temporary elevated access, it gets granted and never revoked, and six months later that principal is a standing escalation path.
Enable MFA on every human account without exception. The accounts most likely to be excluded from MFA policies are break-glass emergency accounts and shared service accounts, which are also the accounts most attractive to attackers. Hardware keys or authenticator app TOTP are both acceptable; SMS is not, since SIM-swapping attacks make it unreliable as a second factor for privileged access.
Rotate credentials regularly and automate the rotation. Long-lived static credentials, including access keys, service account keys, and API tokens with no expiry, are a persistent vulnerability. AWS IAM credential reports will surface keys older than 90 days. Set an enforcement policy and use IAM Access Analyzer to detect keys that have not been used in 45 days or longer. Unused credentials should be disabled immediately and deleted after a short observation window.
Enforce separation of duties at the account or project level. Production workloads should live in separate accounts from development and staging environments. The humans who deploy to production should not be the same principals who administer production IAM. This is not bureaucracy; it limits blast radius when credentials are compromised and creates an audit trail that distinguishes legitimate from anomalous cross-environment actions.
The identity domain is where cloud security programs generate the fastest measurable improvement. Every major cloud provider publishes tooling that gives you the current state as of 2026: AWS IAM Access Analyzer flags overly permissive policies and unused access keys, Azure Privileged Identity Management tracks standing privileged access, and GCP IAM Recommender surfaces excess permissions based on actual usage data. Running these tools against your environment for the first time typically surfaces dozens of actionable findings in under an hour. Credentials older than 90 days, roles with permissions never exercised in the last 30 days, and service accounts with Owner-level bindings are the most common findings and the ones that translate directly into reduced breach surface when remediated. The fix is not complex; it is a discipline problem, not a tooling problem, and the tooling already exists in your provider console.
Cloud Misconfiguration: The Attack Surface You Own Entirely
Cloud misconfiguration is the category your security team controls entirely. There is no patch cycle, no vendor dependency, and no waiting for a fix. When an S3 bucket is publicly readable or a security group allows inbound 0.0.0.0/0 on port 22, the exposure is immediate and the remediation is immediate. The problem is that most environments contain dozens of these issues and lack the tooling to surface them continuously.
CSPM (Cloud Security Posture Management) tools solve this. Wiz, Orca Security, and Microsoft Defender for Cloud are the most widely deployed at enterprise scale. AWS Security Hub with the CIS AWS Foundations Benchmark enabled gives you a free starting point if your environment is AWS-only. The CIS Benchmarks, published by the Center for Internet Security, provide scored configuration baselines for AWS, Azure, and GCP that map directly to NIST 800-53 control families. Running a CIS Benchmark assessment against your environment is the fastest way to generate a prioritized remediation list.
The most common misconfigurations fall into predictable categories: storage buckets with public access enabled, security groups with overly permissive ingress rules, encryption disabled on storage volumes or database instances, logging not enabled on management API calls, and default VPC configurations used in production instead of purpose-built networks. Each of these has a CIS Benchmark check associated with it. Your CSPM tool should alert on them continuously, not just at the time of your last manual audit.
One configuration failure worth calling out specifically is the metadata service. The EC2 Instance Metadata Service v1 (IMDSv1) allows any process on an instance to retrieve the IAM role credentials attached to that instance via an unauthenticated HTTP call to 169.254.169.254. SSRF vulnerabilities that hit that endpoint have been responsible for several high-profile cloud breaches. Migrating all instances to IMDSv2, which requires a session-oriented request with a token, is a single configuration change with a significant security payoff.
The Shared Responsibility Model and What It Means for Your Controls
The shared responsibility model defines which security controls belong to the cloud provider and which belong to you. AWS, Azure, and GCP all publish their version of this model, and while the framing differs slightly, the core principle is consistent: the provider secures the infrastructure, you secure what runs on it.
In practice, this means the provider handles physical datacenter security, hypervisor patching, and the underlying network fabric. You are responsible for operating system patching on IaaS compute, application code, network access controls you configure, data classification and encryption, identity management, and audit logging above the infrastructure layer. For PaaS and SaaS services, the provider takes on more of the stack, but you still own data protection, access configuration, and anything you deploy into the service.
The shared responsibility model matters because organizations routinely miscalibrate it. Teams assume the provider handles more than it does, particularly around encryption at rest (often not enabled by default on older service configurations), network isolation (default VPCs are not hardened configurations), and logging (CloudTrail management events are enabled by default in AWS, but data events, which capture S3 object-level access and Lambda invocations, require explicit configuration). Understanding exactly where the boundary sits lets you build a controls inventory that has no gaps in coverage.
The practical consequence of the shared responsibility model is a controls inventory gap that appears in predictable places. In IaaS deployments, teams frequently assume the cloud provider manages operating system patching, but patching the OS on an EC2 instance or Azure VM is entirely the customer’s responsibility. In managed database services like RDS, the provider patches the database engine but the customer configures network access, manages credentials, enables encryption, and controls audit logging. In SaaS, the provider manages nearly the full stack, but the customer still controls who has access and what data is uploaded. Running through your workload portfolio and mapping each service tier to its actual responsibility boundary is a one-time exercise that prevents the miscalibration errors that show up repeatedly in cloud incident postmortems and in the AWS Shared Responsibility Model documentation itself.
For a deeper treatment of how this applies to network-layer decisions in multi-cloud environments, the analysis on cloud network security covers segmentation strategy, transit gateway design, and east-west traffic controls in detail.
Network Controls: Segmentation, Ingress, and East-West Traffic
Network security in cloud environments requires different thinking than on-premises perimeter defense. There is no physical perimeter to defend. The equivalent controls are security groups, network ACLs, VPC segmentation, private endpoints, and service-aware firewalls that understand your application topology.
Every workload should live in a VPC (or equivalent virtual network) that was built for it, not in a default VPC that was never hardened. Subnet segmentation should reflect your trust tiers: public subnets for load balancers, private subnets for application servers, isolated subnets for databases. Security groups should be stateful, scoped to named sources rather than CIDR ranges where possible, and reviewed against the principle of least connectivity. If an application server does not need to accept inbound traffic from the internet, its security group should not permit it, regardless of what the load balancer in front of it does.
Eliminate all unnecessary public IP assignments. Resources in private subnets should reach the internet through a NAT gateway if they need outbound connectivity, not through a public IP that creates inbound exposure. Private endpoints for cloud provider services, including AWS PrivateLink, Azure Private Endpoint, and GCP Private Service Connect, keep traffic on the provider backbone rather than routing through the public internet, which eliminates an entire category of network-level risk for your internal service-to-service calls.
East-west traffic controls are often neglected because teams focus on ingress. If an attacker compromises one workload in your environment, how far can they move laterally? Micro-segmentation, enforced through security group rules that deny traffic between application tiers except on explicitly allowed ports and protocols, contains the blast radius significantly. In AWS environments with many VPCs, AWS Network Firewall or a third-party NGFW in a centralized inspection VPC can enforce east-west policies at scale.
Data Protection: Encryption at Rest and in Transit
Data protection in cloud environments rests on two pillars: encryption at rest for stored data and encryption in transit for data moving between services or leaving your environment. Both are achievable with native provider tools and should be treated as non-negotiable defaults rather than optional hardening steps.
Encryption at rest should be enabled on every storage resource: S3 buckets, EBS volumes, RDS instances, DynamoDB tables, Blob Storage accounts, Cloud Storage buckets. Most cloud providers now default to encryption at rest using provider-managed keys, but provider-managed keys offer limited auditability and no ability to revoke access by destroying a key. For sensitive workloads, customer-managed keys via AWS KMS, Azure Key Vault, or GCP Cloud KMS give you key rotation control, detailed audit logs of every cryptographic operation, and the ability to disable or delete a key to prevent access to data that key protects.
Encryption in transit means TLS 1.2 or higher on every service endpoint, internal and external. Internal services often skip TLS on the assumption that the VPC perimeter protects them. That assumption breaks down under several realistic attack scenarios: a misconfigured security group, a compromised instance doing ARP spoofing, or a supply chain attack on a shared library. Enforce TLS minimum version policies at the load balancer and API gateway level, and audit service-to-service traffic within your environment to ensure nothing communicates in plaintext.
Data classification determines how aggressively you protect specific datasets. Without a classification policy, every dataset ends up protected to the same level, which is typically calibrated to the least sensitive data and ends up insufficient for your most sensitive. Map your data to classification tiers, and let those tiers drive encryption key management decisions, access control granularity, and retention policies.
The controls above integrate with broader data lifecycle management. The coverage on cloud data security goes deeper on classification frameworks, tokenization, and data loss prevention controls for cloud-native architectures.
Logging, Monitoring, and Incident Detection
A cloud environment you cannot see is a cloud environment you cannot defend. Logging, monitoring, and alerting are the foundation of any incident detection capability, and in cloud environments they require deliberate configuration rather than passive defaults.
In AWS, CloudTrail records API calls made against your account. Enable it in all regions with multi-region trail configuration, log to an S3 bucket in a separate dedicated logging account with MFA delete enabled, and turn on log file validation so you can detect tampering. CloudTrail management events capture administrative actions; data events capture object-level access on S3 and Lambda invocations. Both matter for forensic completeness. In GCP, Cloud Audit Logs provides the equivalent, with Admin Activity and Data Access logs covering the same categories. In Azure, Azure Activity Log combined with Microsoft Entra ID audit logs gives you the same visibility surface.
Logging infrastructure is only useful if someone or something is actually reviewing it. Connect your cloud logs to a SIEM or cloud-native detection service. AWS GuardDuty performs continuous threat detection against CloudTrail, DNS query logs, and VPC flow logs using threat intelligence and machine learning, alerting on specific finding types including credential exfiltration, cryptocurrency mining, and unusual API call patterns, without requiring you to write detection rules from scratch. Equivalent services exist on other providers: Microsoft Defender for Cloud, GCP Security Command Center.
Define your detection coverage in terms of specific threat scenarios. Which alerts fire when someone disables CloudTrail? When an IAM user creates a new access key outside business hours? When a security group is modified to allow 0.0.0.0/0 inbound? When the root account is used? These are not edge cases; they are the leading indicators of active compromise and insider threat. If your monitoring does not alert on them, your logging investment is not translating into detection capability.
Detection coverage maps directly to dwell time reduction. The scenarios most likely to indicate active compromise in a cloud environment are not exotic: they are root account login, console login from an IP outside your known range, a new administrator IAM user created by a non-admin account, CloudTrail disabled or modified, a security group opened to 0.0.0.0/0, and an S3 bucket policy changed to allow public access. These six scenarios should each have a dedicated alert with a tested response runbook. GuardDuty covers several of them automatically against your CloudTrail and VPC flow logs, but the security group and bucket policy scenarios require custom EventBridge rules targeting AWS Config change notifications. Testing these alerts quarterly by staging the scenario in a non-production account confirms they fire before you need them in an actual incident.
Posture Management and Continuous Compliance
Security posture is not a state you achieve once; it is a condition you maintain continuously against an environment that changes constantly. New resources get provisioned, configurations drift, permissions expand, and previously acceptable patterns become risks as the threat environment evolves. Posture management is the practice of measuring your environment against a defined baseline continuously and closing gaps as they appear.
CNAPP (Cloud-Native Application Protection Platform) tools combine CSPM, workload protection, identity analysis, and shift-left scanning into a single control plane. They give you visibility across multiple cloud accounts and providers from a single console, which matters when your environment spans AWS, Azure, and GCP in parallel. Wiz, Lacework, and Prisma Cloud are the leading platforms at enterprise scale. For teams earlier in their security maturity, AWS Security Hub with CIS Benchmark controls enabled provides a meaningful starting point at low cost.
Map your controls to a framework. NIST 800-53 is the most comprehensive and maps well to cloud environments; its control families (AC for access control, AU for audit and accountability, SC for system and communications protection) align directly with the cloud-native controls described in this checklist. CIS Controls v8 provides a more prescriptive, tiered implementation guide that is particularly useful for teams building a program from the ground up.
Audit frequency should be driven by your change rate. For environments where infrastructure is deployed and modified daily through CI/CD pipelines, continuous automated scanning is the only approach that keeps pace. For more static environments, a quarterly manual review against your control baseline, supplemented by automated drift detection, is a reasonable minimum. The cloud security best practices in this checklist give you the baseline criteria for that review; the important thing is that you measure against them consistently and close gaps before they are exploited.
For teams extending these controls into application workloads and container environments, the analysis of cloud-native security practices covers Kubernetes security, image scanning, runtime protection, and supply chain controls in depth.
CSPM and CNAPP Tool Comparison by Use Case
Selecting the right posture management tooling depends on your environment maturity, multi-cloud footprint, and budget. The table below compares the primary options security teams evaluate in 2026 based on publicly documented capabilities and pricing models.
| Tool | Best For | Multi-Cloud | Starting Cost | Key Differentiator |
|---|---|---|---|---|
| Wiz | Enterprise full-stack visibility | AWS, Azure, GCP, OCI | Custom pricing | Graph-based attack path analysis across identity, workloads, and data |
| Orca Security | Agentless cloud asset scanning | AWS, Azure, GCP | Custom pricing | Side-scanning technology reads cloud storage directly, no agent install required |
| Lacework | Behavioral anomaly detection | AWS, Azure, GCP | Custom pricing | Polygraph data platform builds behavioral baselines and flags deviations |
| Prisma Cloud | Full CNAPP with code security | AWS, Azure, GCP, OCI, Alibaba | Credit-based model | Broadest coverage from code to runtime; integrates with CI/CD pipelines |
| AWS Security Hub | AWS-only environments | AWS only | $0.0010 per check | Native integration with GuardDuty, Inspector, Macie; no additional agent required |
| Microsoft Defender for Cloud | Azure-primary environments | AWS, Azure, GCP | Free tier available | Deep Azure integration; Secure Score tracks posture change over time |
AWS Security Hub at $0.0010 per check is the entry point for teams that need structured posture scoring without enterprise-level spend. All options above are validated against the CIS Benchmarks for their respective providers. For teams running purely on AWS, Security Hub plus GuardDuty covers the foundational detection and posture requirements before a dedicated CNAPP is justified by scale.
2026 Cloud Security Checklist by Control Domain
The following items represent the priority controls across each domain. Treat each as a verification point with an owner and a retest date assigned. These are the cloud security best practices that translate directly into fewer incidents and shorter dwell times when something does go wrong. Current as of June 2026, validated against AWS, Azure, and GCP service capabilities.
Identity controls:
- MFA enforced on all human accounts including break-glass emergency access accounts, using hardware keys or authenticator app TOTP, not SMS.
- Least-privilege IAM policies in place with no wildcard resource ARNs; all permissions scoped to specific resources and actions.
- Access key age enforcement at 90 days maximum; IAM credential reports reviewed on this cycle.
- Unused credential detection configured via IAM Access Analyzer; any key inactive for 45 or more days disabled immediately.
- Service account key inventory maintained with documented rotation schedule; static keys replaced by workload identity federation where supported.
- Separation of duties enforced between production deploy principals and production IAM administrators.
Posture and misconfiguration controls:
- CSPM tool deployed with CIS Benchmark checks enabled; findings reviewed and assigned to owners on a weekly cadence.
- No storage buckets with public access enabled unless explicitly reviewed, documented, and approved through a formal exception process.
- IMDSv2 enforced on all EC2 instances; IMDSv1 disabled at the account level via AWS Organizations SCP where possible.
- Encryption at rest enabled on all storage resources; customer-managed keys in AWS KMS, Azure Key Vault, or GCP Cloud KMS for sensitive data tiers.
- Default VPCs unused in all production accounts; purpose-built VPCs with documented subnet segmentation in place.
- Logging enabled on all management API calls across every account and region; log retention set to a minimum of 12 months.
Network controls:
- Production workloads deployed in purpose-built VPCs with subnet segmentation by trust tier: public for load balancers, private for application servers, isolated for databases.
- No unnecessary public IP assignments on resources in private subnets; outbound internet access routed through NAT gateways.
- Private endpoints deployed for cloud provider service access: AWS PrivateLink, Azure Private Endpoint, or GCP Private Service Connect as applicable.
- Security groups reviewed quarterly against the principle of least connectivity; no inbound 0.0.0.0/0 rules except on public-facing load balancers.
- East-west traffic controls enforced through security group rules that deny cross-tier traffic except on explicitly allowed ports and protocols.
- VPC flow logs enabled and routed to centralized logging; used as a signal source for GuardDuty and anomaly detection.
Logging and detection controls:
- CloudTrail or equivalent enabled in all regions with multi-region trail; logs centralized to an immutable S3 bucket in a dedicated logging account with MFA delete enabled.
- Data events enabled for sensitive services including S3 object-level access and Lambda invocations; log file validation active.
- GuardDuty or equivalent threat detection service active on all accounts; findings integrated into your SIEM or alert routing.
- Detection rules defined and tested for the top threat scenarios: CloudTrail disable, new access key creation outside business hours, root account use, and security group 0.0.0.0/0 modification.
If you are mapping these cloud security best practices to a compliance requirement or planning a programmatic rollout, the Shield Operations team works with security and cloud engineering teams to scope posture assessment and remediation programs. Contact Shield Operations to discuss your environment.
Frequently Asked Questions
What are the most important cloud security best practices?
Identity controls and misconfiguration remediation deliver the highest return. Enforce MFA across all accounts, apply least privilege to every IAM principal, and run continuous CSPM scanning to detect configuration drift. These two domains account for the bulk of cloud security incidents across all major providers and all industry verticals.
What is the shared responsibility model?
The shared responsibility model defines which security tasks belong to the cloud provider and which belong to you. The provider secures the physical infrastructure and hypervisor layer. You are responsible for operating system patching, network configuration, IAM policies, data encryption, and audit logging. The exact boundary shifts depending on whether you use IaaS, PaaS, or SaaS services.
What causes most cloud security breaches?
Security researchers and providers consistently identify misconfiguration and identity failure as the dominant causes. Publicly accessible storage buckets, overly permissive IAM roles, absent MFA, and long-lived static credentials create the conditions most breaches exploit. Sophisticated zero-day attacks are far less common than these preventable configuration errors.
How often should you audit cloud security?
For environments with active CI/CD deployment pipelines, continuous automated scanning is the baseline requirement. Manual reviews against your control framework should happen quarterly at minimum. After any significant architectural change, an immediate targeted audit of the affected control domains is warranted. Annual-only audits are insufficient for any actively changing environment.
